RE: Display name attribute
From: "BENNETT,JEREMY \(HP-PaloAlto,ex1\)" <jeremy_bennett@am.exch.hp.com>
> It is unfortunate that the two both use the phrase 'Distinguished Name.'
> This implies to people that they must be the same. General purpose of each
> is even similar, provide a unique name for every one in the namespace.
> When you look further, though, you see that the needs are different.
>
> The X.509 DN is a collection of attributes that represent the holder's
> verified identity. Each attribute has a meaning in the name as well as the
> identity.
I believe this is the old way of looking at it. With v3 certificates, the
DN in the cert can still equate to the directory DN (indeed there are
good reasons why this should be the case, as this securely binds
the certificate to the repository and stops switching of certs in
directory entries without people knowing it). Then the General
Names extension can hold other attributes that help you identify the
person, if the DN on its own is insufficient. This is why we put the
email address in the extension and NOT in the DN, as you have
done in your example below.
> For example consider my two DNs:
>
> Cert: CN=Jeremy F Bennett + E=jeremy_bennett@hp.com,O=Hewlett-Packard
> Company,C=US,OU=Employees,O=hp.com
This is a rather long and convoluted DN. You could extract the email
address and company name, put that in the General Names
extension, and then the DN would again equate to the LDAP DN. As
I said above, there is a good security reason for doing this.
> LDAP: emailaddress=jeremy_bennett@hp.com,ou=Employees,o=hp.com
>
> Given my perspective, as above, of not having CN in the directory DN at
> all. I agree with the proposal for a single-valued attribute representing
> what should be used to display the entry in short list boxes.
Given that jeremy_bennett is unique throughout hp.com, otherwise
the email would not work, and assuming everyone has an email
address, then cn=jeremy bennett would be just as unique and could
be used in the DN. This would mean that a display name is not
needed.
> I don't
> think we should assume that the displayName value would be duplicated in
> the set of CNs, though.
If display name is unique, then it duplicates the functionality of
common name, does it not? The only time I see display name of
having value, is when meaningful common names cannot be unique,
so cannot be used as DNs. We therefore put meaningless stuff in
the DN to make it unique, and use display name to view the entry,
but accept that several entries will have the same display name.
David
> Each directory owner will decide which information
> is useful as a display and use that. At HP I would use a combination of
> the e-mail address and name, at umich I would have used the uniqname, at a
> small company it might only be name.
>
> Jeremy
>
> ----------------------------------------------------------------------
> Jeremy Bennett Security and Directory Engineering Infrastructure Portfolio
> Team Business Infrastructure Services (E:BIS) Hewlett-Packard Company
>
***************************************************
David Chadwick
IT Institute, University of Salford, Salford M5 4WT
Tel +44 161 295 5351 Fax +44 161 745 8169
*NEW* Mobile +44 790 167 0359 *NEW*
Email D.W.Chadwick@iti.salford.ac.uk
Home Page http://www.salford.ac.uk/its024/chadwick.htm
Understanding X.500 http://www.salford.ac.uk/its024/X500.htm
X.500/LDAP Seminars http://www.salford.ac.uk/its024/seminars.htm
Entrust key validation string MLJ9-DU5T-HV8J
***************************************************
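The check David argues for above, as an added example that is not part of the thread and not code from either correspondent: a small RFC 4514 DN parser that compares a certificate's subject DN with a directory entry DN (case-insensitive types and values, order-independent multi-valued RDNs, escaped separators), plus a helper that moves the email address and company name out of Jeremy's "long and convoluted" certificate DN into a list destined for the GeneralNames extension, after which the remaining DN does equate to the LDAP DN. The sample DNs are the two Jeremy quotes; the attribute-type alias table, the caseIgnoreMatch-style value normalisation applied to every attribute, and the choice to collect non-email attributes into a single directoryName GeneralName are assumptions made for this example.

```python
"""Added example (not from the thread): compare an X.509 subject DN with an
LDAP entry DN, and move identifying attributes out of the DN into entries
for the GeneralNames / subjectAltName extension.  DN strings follow RFC 4514."""
import re

# Short type names some tools accept in DN strings (assumed alias table)
TYPE_ALIASES = {"e": "emailaddress", "email": "emailaddress", "mail": "emailaddress"}
# Characters that must be escaped inside an attribute value (RFC 4514, sec. 2.4)
_SPECIAL = set(',+"\\<>;')

# An RDN is a list of (type, value) pairs; a DN is a list of RDNs, leftmost first.
RDN = list[tuple[str, str]]


def _split_unescaped(s: str, sep: str) -> list[str]:
    """Split on sep, ignoring separators preceded by a backslash escape."""
    parts, buf, i = [], [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):       # keep the escape pair intact
            buf.append(s[i:i + 2]); i += 2; continue
        if s[i] == sep:
            parts.append("".join(buf)); buf = []
        else:
            buf.append(s[i])
        i += 1
    parts.append("".join(buf))
    return parts


def _unescape(v: str) -> str:
    # Unescaped leading/trailing spaces are not significant; escaped ones are.
    v = re.sub(r"(?<!\\)\s+$", "", v.lstrip())
    return re.sub(r"\\(.)", r"\1", v)         # single-char escapes only, no \XX hex pairs


def _escape(v: str) -> str:
    out = "".join("\\" + c if c in _SPECIAL else c for c in v)
    if out.startswith((" ", "#")):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def parse_dn(dn: str) -> list[RDN]:
    rdns = []
    for rdn in _split_unescaped(dn, ","):
        avas = []
        for ava in _split_unescaped(rdn, "+"):
            if "=" not in ava:
                raise ValueError(f"malformed RDN: {rdn!r}")
            t, v = ava.split("=", 1)
            avas.append((t.strip(), _unescape(v)))
        rdns.append(avas)
    return rdns


def to_string(rdns: list[RDN]) -> str:
    return ",".join("+".join(f"{t}={_escape(v)}" for t, v in rdn) for rdn in rdns)


def _norm_type(t: str) -> str:
    t = t.lower()
    return TYPE_ALIASES.get(t, t)


def _norm_value(v: str) -> str:
    # caseIgnoreMatch-style folding, assumed here for every attribute type
    return " ".join(v.split()).lower()


def normalize(rdns: list[RDN]) -> list[frozenset]:
    # frozenset per RDN: 'CN=x + E=y' and 'E=y + CN=x' are the same RDN
    return [frozenset((_norm_type(t), _norm_value(v)) for t, v in rdn) for rdn in rdns]


def dn_equal(a: str, b: str) -> bool:
    """True if the two DN strings name the same entry."""
    return normalize(parse_dn(a)) == normalize(parse_dn(b))


def move_to_general_names(dn: str, should_move=lambda t, v: t == "emailaddress"):
    """Return (dn_without_moved_attributes, general_names).  Email addresses
    become rfc822Name entries; other moved attributes are gathered into one
    directoryName entry (a design choice for this example)."""
    kept, emails, other = [], [], []
    for rdn in parse_dn(dn):
        remaining = []
        for t, v in rdn:
            nt = _norm_type(t)
            if should_move(nt, _norm_value(v)):
                (emails if nt == "emailaddress" else other).append((t, v))
            else:
                remaining.append((t, v))
        if remaining:                               # drop an RDN emptied entirely
            kept.append(remaining)
    names = [("rfc822Name", v) for _, v in emails]
    if other:
        names.append(("directoryName", to_string([[ava] for ava in other])))
    return to_string(kept), names


if __name__ == "__main__":
    # Jeremy's two DNs, as quoted in the thread
    CERT_DN = ("CN=Jeremy F Bennett + E=jeremy_bennett@hp.com,"
               "O=Hewlett-Packard Company,C=US,OU=Employees,O=hp.com")
    LDAP_DN = "emailaddress=jeremy_bennett@hp.com,ou=Employees,o=hp.com"
    print("cert DN == LDAP DN:", dn_equal(CERT_DN, LDAP_DN))            # False
    mv = lambda t, v: t == "emailaddress" or (t, v) in {("o", "hewlett-packard company"), ("c", "us")}
    new_dn, san = move_to_general_names(CERT_DN, mv)
    print("subject DN:", new_dn, "\nGeneralNames:", san)
    print("matches cn=Jeremy F Bennett,ou=Employees,o=hp.com:",
          dn_equal(new_dn, "cn=Jeremy F Bennett,ou=Employees,o=hp.com"))  # True
```

The comparison is the binding David describes: a client that verifies a certificate and then checks that its subject DN equals the DN of the directory entry it was fetched from can detect a certificate that has been swapped into another entry, something a match on email address alone cannot do once the address sits in an extension.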